feat(profile): general update.

2024-03-10 19:35:04 +00:00 · 2024-03-10 19:35:04 +00:00 · beaf1bad16
commit beaf1bad16
parent b0d52d68f4
29 changed files with 121 additions and 58 deletions
--- a/apparmor.d/groups/gnome/gdm
+++ b/apparmor.d/groups/gnome/gdm
@ -33,15 +33,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
  # dbus: own bus=system name=org.gnome.DisplayManager

  # dbus: talk bus=system name=org.freedesktop.login1 label=systemd-logind
-
-  dbus send bus=system path=/org/freedesktop/Accounts
-       interface=org.freedesktop.Accounts
-       member={ListCachedUsers,UserAdded}
-       peer=(name=:*, label=accounts-daemon),
-  dbus send bus=system path=/org/freedesktop/Accounts
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name=:*, label=accounts-daemon),
+  # dbus: talk bus=system name=org.freedesktop.Accounts label=accounts-daemon

  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
--- a/apparmor.d/groups/gnome/gnome-keyring-daemon
+++ b/apparmor.d/groups/gnome/gnome-keyring-daemon
@ -58,7 +58,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
  owner @{user_share_dirs}/ w,
  owner @{run}/user/@{uid}/keyring/ rw,
  owner @{run}/user/@{uid}/keyring/* rw,
-  owner @{run}/user/@{uid}/ssh-askpass.[0-9A-Z]*/{,*} rw,
+  owner @{run}/user/@{uid}/ssh-askpass.@{rand6}/{,*} rw,
        @{run}/user/@{uid}/keyring/control r,

  owner @{PROC}/@{pid}/fd/ r,
--- a/apparmor.d/groups/gnome/gsd-sharing
+++ b/apparmor.d/groups/gnome/gsd-sharing
@ -39,7 +39,7 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
  /var/lib/gdm{3,}/.config/dconf/user r,
  /var/lib/gdm{3,}/greeter-dconf-defaults r,

-  @{run}/systemd/sessions/@{int} r,
+  @{run}/systemd/sessions/* r,
  @{run}/systemd/users/@{uid} r,

  @{PROC}/@{pid}/cgroup r,
--- a/apparmor.d/groups/gnome/loupe
+++ b/apparmor.d/groups/gnome/loupe
@ -9,25 +9,38 @@ include <tunables/global>
@{exec_path} = @{bin}/loupe
 profile loupe @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-  include <abstractions/bwrap>
  include <abstractions/dconf-write>
  include <abstractions/gnome-strict>
  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
+  include <abstractions/user-read>
+
+  signal (send) set=(kill) peer=loupe//bwrap,

  @{exec_path} mr,

-  @{bin}/bwrap rix,
-  @{lib}/glycin-loaders/*/glycin-image-rs rix,
+  @{bin}/bwrap rCx -> bwrap,

  /usr/share/glycin-loaders/{,**} r,

-  owner @{HOME}/@{XDG_DESKTOP_DIR}/{,**} r,
-  owner @{user_books_dirs}/{,**} r,
-  owner @{user_download_dirs}/{,**} r,
-  owner @{user_pictures_dirs}/{,**} r,
-  owner @{user_torrents_dirs}/{,**} r,
-  owner @{user_work_dirs}/{,**} r,
+  @{sys}/fs/cgroup/user.slice/cpu.max r,
+  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
+  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r,
+  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
+
+  owner @{PROC}/@{pid}/cgroup r,
+
+  profile bwrap flags=(attach_disconnected) {
+    include <abstractions/base>
+    include <abstractions/bwrap>
+
+    signal (receive) set=(kill) peer=loupe,
+
+    @{bin}/bwrap mr,
+    @{lib}/glycin-loaders/*/glycin-image-rs rix,
+
+    include if exists <local/loupe_bwrap>
+  }

  include if exists <local/loupe>
 }